~15 min · rotation, expiration, ca-issued
SSH 키도 password 처럼 나이 들어. 분기별 rotation 이 개인 fleet 에 옳은 cadence — 발견 안 된 침해의 폭발 반경 제한할 만큼 잦고, 일상 ops 노가다 안 될 만큼 드뭄. 한 번 해보면 절차가 기계적.
authorized_keys 에 새 public key 를 옛 거 옆에 배포.~/.ssh/config 새 키 사용으로 업데이트.Step 2 와 5 가 병렬화 가능 부분 — 거기가 fleet helper (Track 7) 자기 값 하는 곳.
# 1. Generate new key, fresh comment
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_2026q4 \
-C "$(whoami)@$(hostname -s)-2026q4"
# 2. Push new public key to every server (alongside old one)
for host in $(cat ~/.fleet/all.txt); do
ssh-copy-id -i ~/.ssh/id_ed25519_2026q4.pub "$host"
done
# 3. Update ~/.ssh/config to point at the new key
# Host *
# IdentityFile ~/.ssh/id_ed25519_2026q4
# 4. Test exhaustively
for host in $(cat ~/.fleet/all.txt); do
ssh -i ~/.ssh/id_ed25519_2026q4 \
-o IdentitiesOnly=yes \
-o ConnectTimeout=5 \
"$host" 'echo OK' || echo "$host FAILED"
done
# 5. Remove old public key from every server
OLD_FP=$(ssh-keygen -lf ~/.ssh/id_ed25519_OLD.pub | awk '{print $2}')
for host in $(cat ~/.fleet/all.txt); do
ssh "$host" "
cp ~/.ssh/authorized_keys ~/.ssh/authorized_keys.bak.\$(date +%s)
ssh-keygen -f ~/.ssh/authorized_keys -R '$OLD_FP' 2>/dev/null || \
sed -i.bak '/$OLD_COMMENT/d' ~/.ssh/authorized_keys
"
done
# 6. Finally, delete old private key locally
rm ~/.ssh/id_ed25519_OLD ~/.ssh/id_ed25519_OLD.pub아직 댓글이 없어요. 첫 댓글을 남겨보세요.